Hacks, Embezzlements, and 401(k) Mismanagement – What You Can Do to Protect Your Retirement Nest Egg

Washington, DCWhen asked why he robbed banks, Willie Sutton reportedly replied, “Because that’s where the money is.” Now, however, roughly $5 trillion, or a fifth of all U.S. retirement assets, sit in 401(k) accounts. Today’s Willie Suttons are there, too, as recent ERISA lawsuits and criminal prosecutions confirm.

Don’t stuff your money in the mattress, though – retirement plan participants can protect themselves with some sound ERISA plan security management and some legal help, where necessary.

The risks to 401(k) retirement savings fall into two basic categories: first, breach of the fiduciary duties set forth ERISA, mostly relating to bad investment options and excessive fees, and second, criminal theft, either through embezzlement or cyber hacking.

Faithless Fiduciaries

The story of the year in ERISA litigation may turn out to be the explosion of breach of fiduciary duty lawsuits. There is a cluster of lawsuits brought by employees of investment management firms, including Invesco, Franklin Templeton and Fidelity, who argue that by offering primarily proprietary funds for investment, their employer/plan administrator was guilty of self-dealing in violation of ERISA.

Another group of class action lawsuits targets large universities, such as Vanderbilt, NYU, Yale, Duke and Brown. A third category looks at very large employers, like the Home Depot. Among other things, these lawsuits allege that the plans failed to take advantage of discounted investment management fee arrangements commonly offered to very large plans.

Across the board, these fiduciary duty lawsuits undertake the challenging task of demonstrating that individual plan accounts would have been worth more had the fiduciaries in charge of monitoring investments acted solely in the best interest of participants and beneficiaries rather than from mixed motives that may have involved benefitting the employer, as well.

Straight Up Stealing

Although less common, embezzlement is also a risk. In August of this year, it became clear that the owner of a business in Kansas would serve 50 months in prison and pay $4.3 million in restitution for bank fraud and violations of ERISA. Brenda Wood took approximately $31,403 in employee 401(k) contributions for her own use rather than remitting them to the PCI Building Services Inc. 401(k) plan.

In another case, the office manager of an anesthesiology firm was found guilty of embezzling $120,313 in employee deferrals to a 401(k) fund. He was sentenced to 37 months in federal prison and three years of supervised release.

There is also no reason to believe that 401(k) accounts are immune from the threats of cyber hacking. The likely targets are thought to be plan sponsors, themselves, rather than the better-protected record keepers and custodians. If Equifax can be hacked, why not your employer? A well-tended nest egg can be a very tempting target.

What Can You Do?

Fortunately, there is a quite a lot you can do. First and foremost, read your 401(k) account statements, especially the entries describing recent activity and vested value. If you work for a company that is like some of those recently targeted in litigation – an investment manager or a very large organization, for example – look for the risks identified in those lawsuits.

Does the plan offer a wide range of investment options or are all or most of the funds managed by the employer? If employer stock is an option, how well is it performing? What about the mid-to-longer term performance of other investment options? How many investment choices are offered? Too few may make sensible diversification difficult. Too many may suggest that the plan’s investment committee is not exercising appropriate oversight.

What fees does the plan pay and to whom? Are any of the third party administrators, like a record keeper, related to the employer/plan administrator? Whether a fee is reasonable may depend on the size of the plan and current financial and business conditions, but some up-to-date internet research may give you a rough idea of what is reasonable to expect.

If there are oddities in your statement, ask questions and be persistent about answers that do not make sense. In the PCI embezzlement case described above, some trusting participants initially accepted the embezzling owner’s initial explanation that missing contributions were simply being held in escrow.

Do not hesitate to ask you plan administrator about internal risks. For example, how is data transmitted and stored? Have they done due diligence on vendors and others with whom they share data? Does your employer carry cyber insurance and what losses would be covered? The fact that you and your colleagues ask these questions may prompt appropriate action if your plan administrator is inadequately prepared.

Finally, review your own information security measures. Do you use strong passwords and change them regularly? Be careful to avoid security questions for which the answers may be found in your social media. Check your account balances frequently and consider adding email alerts to notify you when changes are made. Where possible, ask for two-factor authentication to gain access to your accounts.

Above all, get help, including legal help, when you need it. The Willie Suttons of the world have been quick and clever about adapting to a new world where the money is as likely to be in an ERISA 401(k) plan as it is in the bank. Plan participants must be agile about protecting their savings, as well.